Notepad++ Update Hijacked by Chinese Hackers
3 Feb
Summary
- Hackers hijacked the Notepad++ update process to deliver malware.
- The attack was selective, targeting specific users, not widespread.
- Lotus Blossom, a Chinese-linked group, is suspected in the campaign.

The popular code editing platform Notepad++, developed by Don Ho, became a target for a sophisticated cyberespionage campaign. A group linked to China, known as Lotus Blossom, compromised the platform's update process between June and September 2025. This breach allowed the attackers to distribute a custom backdoor and other malicious software to specific, targeted users.
The developer confirmed that the hackers had access to the update hosting server during this period and retained credentials for some services until December 2, 2025. Cybersecurity firm Rapid7 identified Lotus Blossom as the likely perpetrator, noting the group's history of targeting critical sectors since 2009.
While the full extent of the breach remains unclear, the attack's selective nature suggests deliberate targeting. Researchers like Kevin Beaumont have noted potential links to organizations with interests in East Asia. The malware deployed could grant attackers interactive control over infected computers, serving as a launching point for further data theft and network intrusion.




